YazFi YazFi - enhanced AsusWRT-Merlin Guest WiFi inc. SSID <-> VPN Client

[Jack Yaz]

I don't have ipv6 enabled.

Interesting results when I temporarily disable Skynet.

1) Ping from main wireless (10.100.100.x) to guest (10.100.2.x) > failed (this passed before)
2) Ping from main wired (10.100.100.x) to guest (10.100.2.x) > failed (this is unchanged)
3) Ping from guest (10.100.2.x) to guest (10.100.2.x) > pass (this is unchanged)

edit: not sure if this info will help but here goes anyway:

Guest network: all devices get IP through DHCP
Main network: all existing devices have a static ip, DHCP enabled for new devices (none connected that don't have static IP as of now)

I think I have got this fixed in the develop branch, I will PM you with a link to a patched script.

Essentially the issue is that I was only blocking new connections - any related/established could pass through. While this seemed fine in 99% of my testing, I found that in some situations connections would be allowed. YazFi will now block connections regardless of state, and I have moved the YazFi chain insertion as below:

From
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -j YazFiFORWARD

to
-A FORWARD -j YazFiFORWARD
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT

EDIT: This addresses points 1 and 2, 3 I have a fix I'm trying locally before pushing to the script

 

[infra_red_dude]

...
EDIT: This addresses points 1 and 2, 3 I have a fix I'm trying locally before pushing to the script

Confirmed the change fixes 1 and 2! Many thanks

 

[Jack Yaz]

YazFi v2.3.9 has been released

Changelog:

Update YazFi to fix isolation of guest from other networks

YazFi now blocks regardless of connection state

To update:

/jffs/scripts/YazFi update

Many thanks to @infra_red_dude for helping me track down the issue - I recall a user previously had a similar issue, but at the time, I could not re-create it

 

[bagurdin]

Hello!
I have Asus AC66U and i want that users from guest network were able to connect to local dns (pihole).
Here is config:

wl01_ENABLED=true
wl01_IPADDR=172.18.0.0
wl01_DHCPSTART=160
wl01_DHCPEND=199
wl01_DNS1=172.16.0.2
wl01_DNS2=172.16.0.2
wl01_FORCEDNS=true
wl01_REDIRECTALLTOVPN=false
wl01_VPNCLIENTNUMBER=
wl01_LANACCESS=
wl01_CLIENTISOLATION=

Does this feature work in YazFi v2.3.9?

 

[Jack Yaz]

Hello!
I have Asus AC66U and i want that users from guest network were able to connect to local dns (pihole).
Here is config:

wl01_ENABLED=true
wl01_IPADDR=172.18.0.0
wl01_DHCPSTART=160
wl01_DHCPEND=199
wl01_DNS1=172.16.0.2
wl01_DNS2=172.16.0.2
wl01_FORCEDNS=true
wl01_REDIRECTALLTOVPN=false
wl01_VPNCLIENTNUMBER=
wl01_LANACCESS=
wl01_CLIENTISOLATION=

Does this feature work in YazFi v2.3.9?

It should indeed! Let me know if you run into any issues

 

[bagurdin]

It should indeed! Let me know if you run into any issues

It doesn't work for me

 

[Jack Yaz]

It doesn't work for me

What does

iptables -S YazFiFORWARD

look like?

 

[bagurdin]

What does

iptables -S YazFiFORWARD

look like?

iptables -S YazFiFORWARD
iptables v1.3.8: Unknown arg `-S'

iptables -L YazFiFORWARD
Chain YazFiFORWARD (1 references)
target     prot opt source               destination
YazFiREJECT  all  --  anywhere             anywhere
YazFiREJECT  all  --  anywhere             anywhere
YazFiREJECT  all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere

 

[Jack Yaz]

iptables -S YazFiFORWARD
iptables v1.3.8: Unknown arg `-S'

iptables -L YazFiFORWARD
Chain YazFiFORWARD (1 references)
target     prot opt source               destination
YazFiREJECT  all  --  anywhere             anywhere
YazFiREJECT  all  --  anywhere             anywhere
YazFiREJECT  all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere

Ah, which firmware version are you running?

 

[bagurdin]

Ah, which firmware version are you running?

Firmware:380.70

 

[Jack Yaz]

Firmware:380.70

Ah - that's older than the minimum requirement.

What does

 modprobe xt_comment

return? I'm expecting it will fail

 

[bagurdin]

Ah - that's older than the minimum requirement.

What does

 modprobe xt_comment

return? I'm expecting it will fail

modprobe: module xt_comment not found in modules.dep

 

[Jack Yaz]

modprobe: module xt_comment not found in modules.dep

Ah - your version of iptables is a bit too old :/

 

[Jack Yaz]

I'm getting ready to unveil YazFi v3.0.0 which moves to a menu system (commands are still supported!) - ready for integration with amtm

Are there any willing testers out there?

 

[cmkelley]

I'm getting ready to unveil YazFi v3.0.0 which moves to a menu system (commands are still supported!) - ready for integration with amtm

Are there any willing testers out there?

I'd much rather be doing that than doing what I am doing this weekend, which is going to the funeral of a very good friend taken way too early by metastatic breast cancer. :-( I'm planning on being far too drunk to be of much use testing.

 

[Jack Yaz]

I'd much rather be doing that than doing what I am doing this weekend, which is going to the funeral of a very good friend taken way too early by metastatic breast cancer. :-( I'm planning on being far too drunk to be of much use testing.

Sorry to hear that - all the best, and while tempting, don't drink too much

 

[infra_red_dude]

I'm getting ready to unveil YazFi v3.0.0 which moves to a menu system (commands are still supported!) - ready for integration with amtm

Are there any willing testers out there?

/me raises hand up to be guinea pig

I can surely help test the use cases that I currently use YazFi for (guest isolation, separate subnet etc., no VPN though).

 

[HuskyHerder]

I'm getting ready to unveil YazFi v3.0.0 which moves to a menu system (commands are still supported!) - ready for integration with amtm

Are there any willing testers out there?

Hey Jack,

I finally managed to acquire a testing device an 68U apart from my normal network setup, I can give it a whirl.

Obviously it will not be on my 5300 due to my network setup, so I can't try the extra radios.

 

[cmkelley]

Sorry to hear that - all the best, and while tempting, don't drink too much

I'm a lightweight. Far too drunk = 3 or 4 rum and cokes.

 

[L&LD]

I'm getting ready to unveil YazFi v3.0.0 which moves to a menu system (commands are still supported!) - ready for integration with amtm

Are there any willing testers out there?

Jack Yaz,

I am running an RT-AC3100 as the main router and an RT-AC68U as an AP.

I'm not sure if your script can support this setup? If it does; great!

If it doesn't; I'm willing to drop the RT-AC68U to test your v3.0 script out. Having it be 'amtm' compliant is a huge boost in usabilty. I've just recently started using amtm and I know I'm lost without it.

If you want feedback from a newbie, I'll do my best to help.